From 49428ab37e6f3792e67beb42d726bbbefaf6d5e4 Mon Sep 17 00:00:00 2001
From: "Paula V. Quispe" <paula.quispe@colosa.com>
Date: Fri, 20 Mar 2015 14:24:44 -0400
Subject: [PATCH] I reviewed the XSS - MEDIUM in files

---
 rbac/public_html/sysUnnamed.php               |  4 ++-
 workflow/engine/includes/inc.JSForms.php      | 15 +++++++--
 .../methods/cases/proxyPMTablesFieldList.php  | 32 +++++++++++++++----
 .../methods/cases/proxyPMTablesList.php       | 16 ++++++++--
 .../methods/cases/proxyPMTablesSaveFields.php |  9 ++++++
 .../engine/methods/cases/proxyProcessList.php |  7 ++++
 workflow/engine/methods/install/r.php         | 16 ++++++++++
 .../processes/processes_checkProperties.php   |  3 ++
 workflow/engine/methods/setup/setup.php       |  6 ++++
 .../templates/cases/missRequiredFields.php    |  8 +++--
 .../engine/templates/cases/showDebugFrame.php |  9 ++++--
 .../templates/cases/showDebugFrameBreaker.php |  8 +++--
 .../templates/reportTables/mainLoad.php       | 10 +++++-
 .../templates/setup/mailConnectiontest.php    |  7 +++-
 14 files changed, 130 insertions(+), 20 deletions(-)

diff --git a/rbac/public_html/sysUnnamed.php b/rbac/public_html/sysUnnamed.php
index 1a0f16886..4733a35b6 100755
--- a/rbac/public_html/sysUnnamed.php
+++ b/rbac/public_html/sysUnnamed.php
@@ -5,7 +5,9 @@
 //  define("URL_KEY", 'c0l0s40pt1mu59r1m3' );
 //  define("ENABLE_ENCRYPT", 'yes' );
 
-  $COMPLETE_URI = $_SERVER["REQUEST_URI"];
+  G::LoadSystem('inputfilter');
+  $filter = new InputFilter();
+  $COMPLETE_URI = $filter->xssFilterHard($_SERVER["REQUEST_URI"]);
 
   $webAddress = substr($COMPLETE_URI,1);
   $COMPLETE_URI = strtolower ($COMPLETE_URI) . "/mNE/qsll/n9KX1Z4/n9KX1Z6hnKTd4A";
diff --git a/workflow/engine/includes/inc.JSForms.php b/workflow/engine/includes/inc.JSForms.php
index f4b33b5aa..e1cfd4f5a 100755
--- a/workflow/engine/includes/inc.JSForms.php
+++ b/workflow/engine/includes/inc.JSForms.php
@@ -23,12 +23,19 @@
  * 
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 global $HTTP_SESSION_VARS;
 global $G_FORM;
+$HTTP_SESSION_VARS = $filter->xssFilterHard($HTTP_SESSION_VARS);
+$HTTP_GET_VARS = $filter->xssFilterHard($HTTP_GET_VARS);
+$_GET = $filter->xssFilterHard($_GET);
+
 $path = '';
 $showFieldAjax = 'showFieldAjax.php';
 
 $serverAjax = G::encryptLink($path.$showFieldAjax);
+$serverAjax = $filter->xssFilterHard($serverAjax);
 
 ?>
 <script language="JavaScript">
@@ -40,10 +47,14 @@ function RefreshDependentFields(ObjectName, Fields, InitValue) {
   global $HTTP_GET_VARS;
   if ($HTTP_SESSION_VARS['CURRENT_APPLICATION'] == '') $HTTP_SESSION_VARS['CURRENT_APPLICATION'] = '0';
   	$appid = $HTTP_SESSION_VARS['CURRENT_APPLICATION'];
-  	if ($HTTP_GET_VARS['dynaform'] != '')
+  	if ($HTTP_GET_VARS['dynaform'] != ''){
   	  $Dynaform = '&__dynaform__=' . $HTTP_GET_VARS['dynaform'];
-  	if ($HTTP_GET_VARS['filename'] != '')
+  	  $Dynaform = $filter->xssFilterHard($Dynaform);
+  	}
+  	if ($HTTP_GET_VARS['filename'] != ''){
   	  $Dynaform = '&__filename__=' . $HTTP_GET_VARS['filename'];
+  	  $Dynaform = $filter->xssFilterHard($Dynaform);
+  	}
 
 ?>
 
diff --git a/workflow/engine/methods/cases/proxyPMTablesFieldList.php b/workflow/engine/methods/cases/proxyPMTablesFieldList.php
index 671ec382c..0cc1756ea 100644
--- a/workflow/engine/methods/cases/proxyPMTablesFieldList.php
+++ b/workflow/engine/methods/cases/proxyPMTablesFieldList.php
@@ -502,6 +502,8 @@ function fieldReset($translation)
 
 function fieldComplete($translation)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
     global $action;
 
     $arrayField  = getDefaultFields($action, $translation);
@@ -509,10 +511,15 @@ function fieldComplete($translation)
 
     //Get values from JSON request
     $first  = G::json_decode((isset($_POST["first"]))?  $_POST["first"] :  G::json_encode(array()));
+    $first  = $filter->xssFilterHard($first);
     $second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
+    $second = $filter->xssFilterHard($second);
     $pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
+    $pmtable = $filter->xssFilterHard($pmtable);
     $rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
+    $rowsperpage = $filter->xssFilterHard($rowsperpage);
     $dateformat  = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
+    $dateformat = $filter->xssFilterHard($dateformat);
 
     //Complete fields
     foreach ($first as $index1 => $value1) {
@@ -560,17 +567,24 @@ function fieldComplete($translation)
 
 function fieldLabelReset($translation)
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
     global $action;
 
     $arrayField  = getDefaultFields($action, $translation);
     $arrayConfig = getDefaultConfig($action, $translation);
 
     //Get values from JSON request
-    $first  = G::json_decode((isset($_POST["first"]))?  $_POST["first"] :  G::json_encode(array()));
-    $second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
-    $pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
+    $first       = G::json_decode((isset($_POST["first"]))?  $_POST["first"] :  G::json_encode(array()));
+    $first       = $filter->xssFilterHard($first);
+    $second      = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
+    $second      = $filter->xssFilterHard($second);
+    $pmtable     = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
+    $pmtable     = $filter->xssFilterHard($pmtable);
     $rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
+    $rowsperpage = $filter->xssFilterHard($rowsperpage);
     $dateformat  = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
+    $dateformat  = $filter->xssFilterHard($dateformat);
 
     //Reset label's fields
     foreach ($second as $index1 => $value1) {
@@ -592,6 +606,8 @@ function fieldLabelReset($translation)
 
 function fieldSave()
 {
+    G::LoadSystem('inputfilter');
+    $filter = new InputFilter();
     global $conf;
     global $action;
 
@@ -599,11 +615,15 @@ function fieldSave()
     $arrayConfig = getDefaultConfig($action, 0);
 
     //Get values from JSON request
-    $first  = G::json_decode((isset($_POST["first"]))?  $_POST["first"] :  G::json_encode(array()));
-    $second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
-    $pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
+    $first       = G::json_decode((isset($_POST["first"]))?  $_POST["first"] :  G::json_encode(array()));
+    $first       = $filter->xssFilterHard($first);
+    $second      = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
+    $pmtable     = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
+    $pmtable     = $filter->xssFilterHard($pmtable);
     $rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
+    $rowsperpage = $filter->xssFilterHard($rowsperpage);
     $dateformat  = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
+    $dateformat  = $filter->xssFilterHard($dateformat);
 
     //Adding the key fields to second array
     //Required fields for AppCacheView.php - addPMFieldsToCriteria()
diff --git a/workflow/engine/methods/cases/proxyPMTablesList.php b/workflow/engine/methods/cases/proxyPMTablesList.php
index 9a5f47264..33b9d2142 100644
--- a/workflow/engine/methods/cases/proxyPMTablesList.php
+++ b/workflow/engine/methods/cases/proxyPMTablesList.php
@@ -1,12 +1,22 @@
 <?php
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
+
 $callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
-$dir    = isset($_POST['dir'])    ? $_POST['dir']    : 'DESC';
-$sort   = isset($_POST['sort'])   ? $_POST['sort']   : '';
-$query  = isset($_POST['query']) ? $_POST['query'] : '';
+$callback = $filter->xssFilterHard($callback);
+$dir      = isset($_POST['dir'])    ? $_POST['dir']    : 'DESC';
+$dir      = $filter->xssFilterHard($dir);
+$sort     = isset($_POST['sort'])   ? $_POST['sort']   : '';
+$sort     = $filter->xssFilterHard($sort);
+$query    = isset($_POST['query']) ? $_POST['query'] : '';
+$query    = $filter->xssFilterHard($query);
 $option = '';
 
 if ( isset($_GET['t'] ) ) {
     $option = $_GET['t'];
+    $option = $filter->xssFilterHard($option);
 }
 
 try {
diff --git a/workflow/engine/methods/cases/proxyPMTablesSaveFields.php b/workflow/engine/methods/cases/proxyPMTablesSaveFields.php
index 7303dc129..d79fcd15a 100644
--- a/workflow/engine/methods/cases/proxyPMTablesSaveFields.php
+++ b/workflow/engine/methods/cases/proxyPMTablesSaveFields.php
@@ -5,12 +5,21 @@
  * and open the template in the editor.
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+
 $callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
+$callback = $filter->xssFilterHard($callback);
 $dir      = isset($_POST['dir'])    ? $_POST['dir']    : 'DESC';
+$dir      = $filter->xssFilterHard($dir);
 $sort     = isset($_POST['sort'])   ? $_POST['sort']   : '';
+$sort     = $filter->xssFilterHard($sort);
 $query    = isset($_POST['query'])  ? $_POST['query']  : '';
+$query    = $filter->xssFilterHard($query);
 $tabUid   = isset($_POST['table'])  ? $_POST['table']  : '';
+$tabUid   = $filter->xssFilterHard($tabUid);
 $action   = isset($_POST['action']) ? $_POST['action'] : 'todo';
+$action   = $filter->xssFilterHard($action);
 
 try {
     G::LoadClass("BasePeer" );
diff --git a/workflow/engine/methods/cases/proxyProcessList.php b/workflow/engine/methods/cases/proxyProcessList.php
index 9f7256d30..c522a6732 100755
--- a/workflow/engine/methods/cases/proxyProcessList.php
+++ b/workflow/engine/methods/cases/proxyProcessList.php
@@ -1,4 +1,11 @@
 <?php
+
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
+$_GET['t'] = $filter->xssFilterHard($_GET['t']);
+
 $callback = isset( $_POST['callback'] ) ? $_POST['callback'] : 'stcCallback1001';
 $dir = isset( $_POST['dir'] ) ? $_POST['dir'] : 'DESC';
 $sort = isset( $_POST['sort'] ) ? $_POST['sort'] : '';
diff --git a/workflow/engine/methods/install/r.php b/workflow/engine/methods/install/r.php
index 3c6f83bee..9dac82170 100755
--- a/workflow/engine/methods/install/r.php
+++ b/workflow/engine/methods/install/r.php
@@ -1,3 +1,19 @@
+<?php 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+if(isset($_GET['srv'])) {
+    $_GET['srv'] = $filter->xssFilterHard($_GET['srv']);
+}
+if(isset($_GET['usr'])) {
+    $_GET['usr'] = $filter->xssFilterHard($_GET['usr']);
+}
+if(isset($_GET['pass'])) {
+    $_GET['pass'] = $filter->xssFilterHard($_GET['pass']);
+}
+if(isset($_GET['gen'])) {
+    $_GET['gen'] = $filter->xssFilterHard($_GET['gen']);
+}
+?>
 <form action="r">
 	Server: <input type="text" name="srv"
 		value="<?php echo isset($_GET['srv'])?$_GET['srv']:'';?>"> User: <input
diff --git a/workflow/engine/methods/processes/processes_checkProperties.php b/workflow/engine/methods/processes/processes_checkProperties.php
index d00bcf538..654b6861c 100755
--- a/workflow/engine/methods/processes/processes_checkProperties.php
+++ b/workflow/engine/methods/processes/processes_checkProperties.php
@@ -45,7 +45,10 @@ if ($access != 1) {
     }
 }
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
 $form = $_POST['form'];
+$form = $filter->xssFilterHard($form);
 
 //$tasUid = $form['TASKS'];
 $tasUid = $form['TAS_PARENT'];
diff --git a/workflow/engine/methods/setup/setup.php b/workflow/engine/methods/setup/setup.php
index 3474063f4..022c36cff 100755
--- a/workflow/engine/methods/setup/setup.php
+++ b/workflow/engine/methods/setup/setup.php
@@ -29,6 +29,12 @@
  * @date Apr 5th, 2010
  */
 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_GET['i18'] = $filter->xssFilterHard($_GET['i18']);
+$_GET['newSite'] = $filter->xssFilterHard($_GET['newSite']);
+$_GET['module'] = $filter->xssFilterHard($_GET['module']);
+
 if (($RBAC_Response = $RBAC->userCanAccess( "PM_SETUP" )) != 1)
     return $RBAC_Response;
 
diff --git a/workflow/engine/templates/cases/missRequiredFields.php b/workflow/engine/templates/cases/missRequiredFields.php
index 340b8b7d4..e71cd60ed 100755
--- a/workflow/engine/templates/cases/missRequiredFields.php
+++ b/workflow/engine/templates/cases/missRequiredFields.php
@@ -30,7 +30,11 @@
  * @LastModification 30/05/2008
  */
 
-	
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_POST = $filter->xssFilterHard($_POST);
+$ID_ERROR = $filter->xssFilterHard(G::LoadTranslation('ID_ERROR'));
+$ID_REQUIRED_FIELDS_ERROR = $filter->xssFilterHard(G::LoadTranslation('ID_REQUIRED_FIELDS_ERROR'));
 
     $width_content = '500px';
 	
@@ -39,7 +43,7 @@
 	<div class="boxContentBlue">
   		<table width="100%" style="margin:0px;" cellspacing="0" cellpadding="0">
   			<tr>
-	  			<td class="userGroupTitle"><font color="red">'.G::LoadTranslation('ID_ERROR').'! </font> '.G::LoadTranslation('ID_REQUIRED_FIELDS_ERROR').'</td>
+	  			<td class="userGroupTitle"><font color="red">'.$ID_ERROR.'! </font> '.$ID_REQUIRED_FIELDS_ERROR.'</td>
   			</tr>
 		</table>
 	</div>
diff --git a/workflow/engine/templates/cases/showDebugFrame.php b/workflow/engine/templates/cases/showDebugFrame.php
index ab0a480b0..f110b962f 100755
--- a/workflow/engine/templates/cases/showDebugFrame.php
+++ b/workflow/engine/templates/cases/showDebugFrame.php
@@ -31,6 +31,10 @@
  */
 
 G::LoadClass('case');
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+$_SESSION = $filter->xssFilterHard($_SESSION, "url");
+$nextStep = $filter->xssFilterHard($_POST['NextStep'], "url");
 
 //variables
 $oApp= new Cases();
@@ -44,6 +48,7 @@ for ($i=0; $i<count($_SESSION['TRIGGER_DEBUG']['DATA']); $i++) {
 }
 
 $aVariables = array_merge($aFields['APP_DATA'], $aVariables);
+$aVariables = $filter->xssFilterHard($aVariables);
 ksort($aVariables);
 
 //triggers
@@ -262,9 +267,9 @@ if (count($DEBUG_POST) > 0) {?>
 
 <!---->
 
-<?php if (isset($_POST['NextStep'])) {?>
+<?php if (isset($nextStep)) {?>
     <input type="button" value="Continue" class="module_app_button___gray" onclick="javascript:location.href='
-    <?php echo $_POST['NextStep']; ?>'">
+    <?php echo $nextStep; ?>'">
     <?php
 }?>
 
diff --git a/workflow/engine/templates/cases/showDebugFrameBreaker.php b/workflow/engine/templates/cases/showDebugFrameBreaker.php
index 13ce290b1..9794e8ff8 100755
--- a/workflow/engine/templates/cases/showDebugFrameBreaker.php
+++ b/workflow/engine/templates/cases/showDebugFrameBreaker.php
@@ -1,8 +1,12 @@
-<?php if (isset($_POST['NextStep'])) {?>
+<?php 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+if (isset($_POST['NextStep'])) {
+    $nextStep = $filter->xssFilterHard($_POST['NextStep'], "url"); ?>
     <div class="ui-widget-header ui-corner-all" width="100%" align="center">
     Processmaker - Debugger (Break Point)&nbsp;&nbsp;&nbsp;&nbsp;
     <input type="button" value="Continue" class="module_app_button___gray"
-    onclick="javascript:location.href='<?php echo $_POST['NextStep']; ?>'">
+    onclick="javascript:location.href='<?php echo $nextStep; ?>'">
     </div>
     <?php
       }
diff --git a/workflow/engine/templates/reportTables/mainLoad.php b/workflow/engine/templates/reportTables/mainLoad.php
index a60cf36da..8560676e5 100755
--- a/workflow/engine/templates/reportTables/mainLoad.php
+++ b/workflow/engine/templates/reportTables/mainLoad.php
@@ -1,3 +1,11 @@
+<?php 
+G::LoadSystem('inputfilter');
+$filter = new InputFilter();
+if(isset($_GET['gui'])) {
+    $_GET['gui'] = $filter->xssFilterHard($_GET['gui']);
+    $gui = $_GET['gui'];
+}
+?>
 <html>
 <style>
 .Footer{
@@ -12,7 +20,7 @@
 }
 </style>
 <body onresize="autoResizeScreen()" onload="autoResizeScreen()">
-<iframe name="frameMain" id="frameMain" src ="../reportTables/mainInit?PRO_UID=<?php echo $_GET['gui']?>" width="99%" height="200" frameborder="0">
+<iframe name="frameMain" id="frameMain" src ="../reportTables/mainInit?PRO_UID=<?php echo $gui?>" width="99%" height="200" frameborder="0">
   <p>Your browser does not support iframes.</p>
 </iframe>
 </body>
diff --git a/workflow/engine/templates/setup/mailConnectiontest.php b/workflow/engine/templates/setup/mailConnectiontest.php
index f779a7e20..04e37285e 100755
--- a/workflow/engine/templates/setup/mailConnectiontest.php
+++ b/workflow/engine/templates/setup/mailConnectiontest.php
@@ -32,16 +32,21 @@
  */
 
 	
+    G::LoadSystem('inputfilter');
     G::LoadClass('net');
     $host = new net($_POST['srv']);
+    $host = $filter->xssFilterHard($host);
     $width_content = '550px';
+    $filter = new InputFilter();
+    $_POST = $filter->xssFilterHard($_POST);
+    $ID_SETUP_MAILCONF_TITLE = $filter->xssFilterHard(G::loadTranslation('ID_SETUP_MAILCONF_TITLE'));
     
 	$html = '
 	<div class="boxTopBlue"><div class="a"></div><div class="b"></div><div class="c"></div></div>
 	<div class="boxContentBlue">
 		<table style="margin:0px;" cellspacing="0" cellpadding="0">
 			<tr>
-				<td class="userGroupTitle"><center>'.G::loadTranslation('ID_SETUP_MAILCONF_TITLE').'</center></td>
+				<td class="userGroupTitle"><center>'.$ID_SETUP_MAILCONF_TITLE.'</center></td>
 			</tr>
 		</table>
 	</div>